Change doc for Mokey -> FreeIPA access creation
This part is really not a nice solution; you should not create a standard user for the Mokey app.
- A new role is not required, the 'User Administrator' role already exists
- Don't use a user, use a service
$ mkdir /etc/mokey/keytab
$ kinit adminuser
$ ipa service-add mokey/server.example.com
$ ipa role-add-member 'User Administrator' --services=mokey/server.example.com
$ ipa-getkeytab -s freeipa.example.com -p mokey/server.example.com -k /etc/mokey/keytab/mokeyapp.keytab
$ chmod 640 /etc/mokey/keytab/mokeyapp.keytab
$ chgrp mokey /etc/mokey/keytab/mokeyapp.keytab
Please note, the "User Administrator" role gives more permissions to the mokey service, namely
- User Administrators
- Group Administrators
- Stage user Administrators
There's a subtle difference between the "User Administrator" role and the "User Administrators" privilege.
@g5pw @mhaluska Thanks for pointing this out. Would be good to figure out the min permissions required to run the mokey service and add those to the docs. You can always create a specific role for mokey which would give you complete control over the permissions.
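
One way to set up the dedicated role suggested in the last comment, as an added example that is not part of the thread or of mokey's documentation. The role name `Mokey Service` and the choice of the single "User Administrators" privilege are assumptions; the thread leaves the minimum permission set undetermined.

```shell
#!/bin/sh
# Added example: dedicated FreeIPA role for the mokey service principal.
# ASSUMPTIONS (not from the thread): the role name and the privilege below
# are illustrative; adjust PRIVILEGE once the minimum set is known.
SERVICE="mokey/server.example.com"  # principal from the issue, default realm
ROLE="Mokey Service"                # hypothetical role name
PRIVILEGE="User Administrators"     # assumed to be sufficient for mokey

# Print the command with each argument quoted; execute it only when APPLY=1
# (requires a valid admin ticket, e.g. after `kinit adminuser`).
run() {
    line=""
    for arg in "$@"; do line="$line '$arg'"; done
    printf '%s\n' "${line# }"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

setup_mokey_role() {
    run ipa role-add "$ROLE" --desc="Dedicated role for the mokey service"
    # Grant the privilege, not the built-in role that bundles three of them.
    run ipa role-add-privilege "$ROLE" --privileges="$PRIVILEGE"
    run ipa role-add-member "$ROLE" --services="$SERVICE"
    # Drop the broad built-in role if it was granted earlier.
    run ipa role-remove-member "User Administrator" --services="$SERVICE"
    # Review the result: privileges and member services of the new role.
    run ipa role-show "$ROLE"
}

# Default is a dry run that only prints the plan.
setup_mokey_role
```

Run it with `APPLY=1` to execute the commands instead of printing them.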